APPELLANTS' FOURTH APPEAL BRIEF

Mail Stop Appeal Brief- Patents 
Commissioner for Patents 

P.O. Box 1450, 

Alexandria, Virginia 22313-1450 
Sir: 

This is the Applicants' Brief to maintain the appeal in the present application. It is 
responsive to the new grounds of rejection set forth in the pending "Office Action", 
mailed August 25, 2008 (Paper No. 20080820). 

Regarding fees, there is a fee difference of $15.00 for filing this Brief along with 
a two month extension. Please charge deposit account 504102 for the total fees of 
$260.00. 

Regarding the Notification of Non-Compliant Brief, dated March 6, 2009, the
Brief filed on January 26, 2009 was rejected because "[t]he argument section must match
the grounds section insomuch as each grounds corresponds to a heading within the
argument section."

It is believed that the headings of the Argument section match those of the Grounds
section. The Grounds section of the January 26, 2009 Brief and this Brief are as follows:

Issue: 1 Whether 1-10, 12, 17, and 35 are anticipated under 102(b) over Lermuzeaux (U.S. Patent 
No. 5,621,889). 

Issue: 2.Whether claims 11, 16, 19-23, 25-31 and 34 are unpatentable under 35 U.S.C. 103(a) 
over Lermuzeaux in further in view of Yadav (US PgPub 2003/0149888). 

Issue: 3. Whether claims 13, 14, and 18 are unpatentable under 35 U.S.C. 103(a) over Lermuzeaux 
as applied above, in further in view of Copeland (US PgPub 2002/0144156). 

Issue: 4. Whether claim 15 is unpatentable under 35 U.S.C. 103(a) over Lermuzeaux in view of
Copeland and further in view of Day (US Patent 7,017,186).

Issue: 5. Whether claims 24 and 32 are unpatentable under 35 U.S.C. 103(a) over Lermuzeaux in
view of Yadav as applied above, and further in view of Copeland.

The headings from the Argument section of the January 26, 2009 Brief and this Brief are
as follows:

With regard to Issue 1 on Appeal, Applicants argue as follows:
With regard to Issue 2 on Appeal, Applicants argue as follows:
With regard to Issue 3 on Appeal, Applicants argue as follows:
With regard to Issue 4 on Appeal, Applicants argue as follows:
With regard to Issue 5 on Appeal, Applicants argue as follows:

For each "Issue" in the Grounds section, there is a corresponding heading in the
Arguments section. Thus, it is believed that the January 26, 2009 Brief and this Brief satisfy the
requirements of the rules and also meet the requirements set forth in the pending
Notification of Non-Compliant Brief.

Real Party in Interest 

Arbor Networks, Inc. is the real party in interest. 

Related Appeals and Interferences 

There are no related appeals or interferences. 
Status of Claims

Claims 1-32, 34 and 35 are pending in this application. Claim 33 was cancelled. 

Claims 1-32, 34 and 35 are rejected. The rejection of claims 1-32, 34 and 35 is being 
hereby appealed. 

Status of Amendments 

All amendments have been entered. There were no post-final amendments or
proposed amendments.

Summary of Claimed Subject Matter 

Please note that in the following discussion, reference is made to the instant
application as published: US Pat. Publ. No. US 2005/0005017A1.

Claim 1 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack, see US 2005/0005017A1 at Fig. 1,
reference CP and paragraph [0036].

Claim 21 concerns a method for responding to an attack on a computer network.
See generally US 2005/0005017A1 at Fig. 5. The method comprises:

generating a usage model for the computer network, see US 2005/0005017A1
at Fig. 3 reference 320 and paragraph [0067];

determining whether the computer network may be under attack, see US
2005/0005017A1 at Figs. 4A and 4B and paragraph [0072];

in response to detecting attack, determining characteristics of the attack, see
US 2005/0005017A1 at Fig. 4A reference 418 and paragraph [0080]; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack,
see US 2005/0005017A1 at Fig. 5 reference 524 and paragraphs [0105]
and [0114]-[0117];

issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules, see US 2005/0005017A1 at Fig. 5 reference 530 and
paragraphs [0125]-[0131].

Claim 35 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to only allow network
communications between the host computers in different compartments of
the computer network based on a usage model describing legitimate
network communications while restricting all other network
communications between the host computers, in response to attack, see
US 2005/0005017A1 at Fig. 1, reference CP and paragraph [0036].
Grounds of Rejection to be Reviewed on Appeal

These are the new grounds of rejection set forth in the pending Office
Action/Examiner's Answer:

Issue: 1. Whether claims 1-10, 12, 17, and 35 are anticipated under 102(b) over
Lermuzeaux (U.S. Patent No. 5,621,889).

Issue: 2. Whether claims 11, 16, 19-23, 25-31 and 34 are unpatentable under 35 
U.S.C. 103(a) over Lermuzeaux in further in view of Yadav (US PgPub 2003/0149888). 

Issue: 3. Whether claims 13, 14, and 18 are unpatentable under 35 U.S.C. 103(a) 
over Lermuzeaux as applied above, in further in view of Copeland (US PgPub 
2002/0144156). 

Issue: 4. Whether claim 15 is unpatentable under 35 U.S.C. 103(a) over 
Lermuzeaux in view of Copeland and further in view of Day (US Patent 7,017,186). 

Issue: 5. Whether claims 24 and 32 are unpatentable under 35 U.S.C. 103(a) over 
Lermuzeaux in view of Yadav as applied above, and further in view of Copeland. 

Argument 

With regard to Issue 1 on Appeal, Applicants argue as follows:

Embodiments of the present invention are directed to protecting a
communications network, such as a computer network, from attack, such as from self-
propagating code or other breaches to security policies. The network is divided into
"compartments" that are separated by access control devices, such as firewalls. The
access control devices are then used to stop security breaches such as the spread of self-
propagating attack code, the "zero-day" worms, for example. However, the access
control devices are configured such that, upon activation, legitimate network services will
not be jeopardized.

The invention capitalizes on the insight that much of the problem with zero-day
worms and other attacks originates from network resources that are not in normal use. By
blocking traffic that is atypical for a particular network (for instance: database
connections between two desktop systems that never normally speak a database protocol)
the system is able to generate blocking actions that stifle the majority of attacks. On the
other hand, the system is much less likely to disrupt business processes, since access
control devices will still permit network communications that exhibit behavior that is
characteristic of normal communication patterns on the network, i.e., behavior
characterized by pass rules that are also deployed to the access control devices.

The system described in Lermuzeaux has some similarities to the system of
the instant application. Lermuzeaux describes, for example, modeling behavior.
Nevertheless, what the system of Lermuzeaux lacks is something akin to the claimed: 1) 
multiple access control devices compartmentalizing the network; and 2) a control plane, 
which instructs the access control devices to allow network communications between the 
compartments of the computer network based on a usage model describing legitimate 
network communications. 

-Independent claims 1 and 35 

It is well established that a claim is anticipated under 35 U.S.C. §102 only if each
and every element of the claim is found in a single prior art reference. Verdegaal Bros. v.
Union Oil Co. of California, 814 F.2d 628, 631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987).
Here, the independent claims contain two features that are not shown by Lermuzeaux,
thus necessitating withdrawal of the rejection.

First, each of the independent claims requires access control devices that control
communications between compartments of the computer network (claim 1), and access
control devices to only allow network communications between the host computers in
different compartments of the computer network (claim 35).

The pending Office Action argues that this feature is taught by Lermuzeaux.
Applicants respectfully disagree. Generally, Lermuzeaux takes an approach that is
consistent with many of the systems in this art. It focuses on preventing intrusions into
the computers. See Lermuzeaux title: Facility for Detecting Intruders and Suspect
Callers in a Computer Installation and a Security System Including such a Facility.
Certainly column 6, lines 38-40, of Lermuzeaux, which were cited for disclosing this
claimed feature, only discuss intrusion protection:

The effectors 6 are processes or other agents enabling
restraining measures to be implemented for countering
attempts at intrusion; they are embedded in the software of
the machine 2 to which they are allocated. In the embodi-

Thus, Lermuzeaux does not teach access control devices deployed to
compartmentalize a network.

Instead, Lermuzeaux teaches a different approach. It appears that in the
Lermuzeaux system the software of the "Facility for Detecting Intruders" is installed on
each client within the network. Supporting this interpretation is the following portion of
column 6 of Lermuzeaux:

Abnormal computer actions are detected from data sup-
plied by sensors 5 allocated to each machine 2 in the
computer installation. The sensors 5 are embedded in the
software of the machine 2 to which they are allocated, and
in particular in the operating system thereof, given reference
2A herein, in its basic software 2B, in its application
software 2C, and in its application interface 2D.

Thus, the claimed network compartmentalization is very different from the 
approach of Lermuzeaux, which tries to prevent intrusion at the level of the computers on 
the network. 

In short, there is nothing to support the assertion that the use of multiple access 
control devices to compartmentalize the network is taught by Lermuzeaux. 

Moreover, this theme of compartmentalization has been consistently described as
an important feature of the present invention as expressed in paragraph [0012] of US
2005/0005017A1:

[0012] The present invention is directed to a technique for
protecting a communications network, such as a computer
network, from attack, such as from self-propagating codes or
other breaches to security policies. The network is divided
into "compartments" that are separated by access control
devices, such as firewalls. The access control devices are
then used to stop security breaches such as the spread of
self-propagating attack code, the "zero-day" worms, for
example. However, the access control devices are config-

Thus, for this reason the present claimed invention is distinguishable over the
applied reference.

The present claimed invention is also distinguishable for having a usage model 
defining communications that are allowed by the access control device while restricting 
other communications during an attack. Specifically claim 1 requires: "a control plane 
for instructing the access control devices to allow network communications between the 
compartments of the computer network based on a usage model describing legitimate 
network communications while restricting other network communications between the 
compartments, in response to attack"; and claim 35 requires "a control plane for 
instructing the access control devices to only allow network communications between the 
host computers in different compartments of the computer network based on a usage 
model describing legitimate network communications while restricting all other network 
communications between the host computers". 

In short, the present claimed invention responds to an attack by causing access 
control devices, such as firewalls, to allow communications during an attack, not simply 
block certain communications. This distinguishes the invention from the applied 
reference. 

Column 13, lines 3-13 of Lermuzeaux were cited for disclosing this claimed
attack response:

performed to check the profile of an entity. The measure-
ments corresponding to its characteristics are performed on
the behavior and they are compared with the values recorded
in the archived profile. Overall conformity with the archived
profile is evaluated, for example on the basis of correspon-
dences for individual measurements, with an anomaly being
indicated if conformity is considered as being poor.

To this end, the profile checker 127 uses the target model
data base 14 and the behavior image fact base 17, together
with a profile data base 26. It co-operates with the abstractor
[illegible] and with the behavior investigator [illegible]. More particu-
larly, it informs the suspicion and [illegible] manager 13.

This portion of Lermuzeaux fails to mention compartmentalization or allowing certain 
communications between compartments in response to attack. Instead, this portion 
merely discusses how measurements are compared to established profiles. 

The problem with this Lermuzeaux approach is that it cannot guarantee that the
critical communications required to be carried by the network will continue to take place.
As described in the example of paragraph [0011] of present application US
2005/0005017A1:

The problem with the existing systems for defend-
ing against attacks, such as from worms, is that there is no
mechanism for assuring that blocking actions taken by the
firewalls will not block services that are in legitimate use on
the network. Thus, [illegible] choosing to deploy these

against attack and preserving legitimate network communi-
cation in the event of an actual or suspected attack. Con-
sequently, many institutions that have mission-critical com-
munications over their networks will make compromises in
the deployment of the defenses that is deployed against an
attack in order to ensure that these important communica-

To address this problem, the claimed invention requires specific functionality:
allowing communications between network compartments based on a usage model. This
is neither shown nor suggested by the applied reference. Moreover, this difference
provides clear performance advantages by ensuring that mission-critical communications
would not be blocked in an attack.

-Dependent claims 2-4 

Claim 2 describes that the network that is compartmentalized is an enterprise 
network or service provider or public network. Thus, these claims further highlight the 
distinction drawn previously concerning the lack of teaching of network 
compartmentalization in the applied reference. 

The applied reference does not teach compartmentalization of this specific type of
network. The pending Office Action asserts to the contrary, citing column 1, lines 26-30
of Lermuzeaux:

Numerous present-day computer installations, be they
provided with centralized processor units or be they orga-
nized in networks interconnecting geographically distrib-
uted processor units, have various access points for serving
their users. The number of such points and the ease with

This portion does not mention the enterprise network, however.

With respect to the rejection of claims 3 and 4, here the Office Action admits that
the subject matter of the claims is not taught but argues that it would have been an
obvious modification:

6. Referring to claim 3, Lermuzeaux discloses a system as claimed in claim 1, but
does not explicitly disclose wherein the computer network is a service provider network.
The Examiner argues that the method of network profiling could be used on any
network concerned with monitoring communications, moreover, nothing in Lermuzeaux
precludes the method from being embodied in a service provider network, thus this
would have been an obvious modification over Lermuzeaux, as would have been readily
apparent to one of ordinary skill in the art.

6. Referring to claim 4, Lermuzeaux discloses a system as claimed in claim 1, but
does not explicitly disclose wherein the computer network is a public network. The
Examiner argues that the method of network profiling could be used on any network
concerned with monitoring communications, moreover, nothing in Lermuzeaux
precludes the method from being embodied in a public network, thus this would have
been an obvious modification over Lermuzeaux, as would have been readily apparent to
one of ordinary skill in the art.

However, the rejection is based on anticipation. So what is obvious or not is 
without relevance. 

Thus, the rejections of these claims should also be withdrawn. 

With regard to Issue 2 on Appeal, Applicants argue as follows:

The Examiner bears the initial burden of establishing a prima facie case. In re
Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992). To establish a prima facie case of
obviousness, all the claim features must be taught by the prior art. In re Royka, 490 F.2d
981, 985 (CCPA 1974). If examination at the initial stage does not produce a prima facie
case of unpatentability, then without more the applicant is entitled to a grant of the patent.
Oetiker, 977 F.2d at 1445.

Independent claim 21 requires access control devices compartmentalizing the computer
network in response to the characteristics of the attack.

As described above, Lermuzeaux fails to mention compartmentalization or
allowing certain communications between compartments in response to attack. These
features are similarly not described in Yadav. Thus, there is no prima facie obviousness.

-Dependent claims 20 and 34 

Dependent claims 20 and 34 specify how the blocking rules are generated in 
contrast to how the pass rules are generated. In more detail, claim 20 requires that "the 
pass rules are generated from the usage model and the blocking rules are generated from 
the protocol information and/or port information characteristic of the attack." 

Nothing in the applied references suggests this way of generating pass rules as 
opposed to blocking rules. Neither of the references teaches the notion of using "pass 
rules" as claimed. And certainly, neither of the applied references teaches how such rules 
should be generated. 
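To make the mechanism the brief relies on concrete, the following Python is an added illustration, not code from the application, the applicant or Arbor Networks, of the behavior described under Issue 1 and in claims 20 and 34: a usage model is learned from flow records crossing between compartments (entries keyed on source, destination, protocol and destination port, carrying last-seen time and frequency as in claims 13-15, with external and intra-compartment flows discarded as in claim 11), pass rules are generated from that model, and blocking rules are generated from the protocol and port characteristics of the attack. The compartment address ranges, flow records and attack description are constructed sample data; the first-match evaluation order (pass rules, then blocking rules, then the device default) and the treatment of the source port as ephemeral are assumptions made for this example, not something the brief or the claims specify.

```python
"""Added illustration of usage-model pass rules and attack-derived blocking rules.
Not code from the application or from Arbor Networks; sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


# Constructed sample: two compartments separated by access control devices.
COMPARTMENTS = {
    "desktops": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.2.0.0/16"),
}


def compartment_of(host):
    """Name of the compartment holding `host`, or None for an external address."""
    addr = ip_address(host)
    for name, net in COMPARTMENTS.items():
        if addr in net:
            return name
    return None


def model_key(flow):
    # Usage-model entry: source, destination, protocol and destination port.
    # Assumption: the source port is ephemeral and is left out of the key.
    return (flow.src, flow.dst, flow.proto, flow.dport)


class UsageModel:
    """Entries record when a communication was last seen and how often."""

    def __init__(self):
        self.entries = {}  # model_key -> {"last_seen": ts, "count": n}

    def observe(self, flow, ts):
        """Learn from one flow record; returns False if the record was discarded."""
        src_c, dst_c = compartment_of(flow.src), compartment_of(flow.dst)
        if src_c is None or dst_c is None:
            return False  # one endpoint is external: discarded (cf. claim 11)
        if src_c == dst_c:
            return False  # same compartment: never crosses an access control device
        entry = self.entries.setdefault(model_key(flow), {"last_seen": ts, "count": 0})
        entry["last_seen"] = ts
        entry["count"] += 1
        return True

    def describes(self, flow):
        return model_key(flow) in self.entries


def generate_rules(model, attack):
    """Pass rules come from the usage model; blocking rules come only from the
    attack's protocol and port characteristics (the claim 20 / 34 split)."""
    pass_rules = [{"action": "pass", "src": s, "dst": d, "proto": p, "dport": dp}
                  for (s, d, p, dp) in sorted(model.entries)]
    block_rules = [{"action": "block", "proto": attack["proto"], "dport": port}
                   for port in sorted(attack["ports"])]
    return pass_rules, block_rules


def matches(rule, flow):
    # A rule matches when every field it specifies equals the flow's field.
    return all(rule[f] == getattr(flow, f)
               for f in ("src", "dst", "proto", "dport") if f in rule)


def decide(flow, pass_rules, block_rules, default="block"):
    """First-match evaluation: pass rules, then blocking rules, then the device
    default. The ordering is an assumption of this example."""
    for rule in pass_rules + block_rules:
        if matches(rule, flow):
            return rule["action"]
    return default


# Constructed flow records from normal operation: (src, dst, proto, sport, dport, ts).
NORMAL_FLOWS = [
    ("10.1.0.5", "10.2.0.10", "tcp", 51000, 5432, 100),   # desktop -> database
    ("10.1.0.5", "10.2.0.10", "tcp", 51004, 5432, 160),
    ("10.1.0.7", "10.2.0.20", "tcp", 52000, 445, 130),    # desktop -> file server
    ("10.1.0.5", "10.1.0.6", "tcp", 53000, 445, 140),     # same compartment: discarded
    ("10.1.0.5", "203.0.113.9", "tcp", 54000, 443, 150),  # external peer: discarded
]


def build_model(records=NORMAL_FLOWS):
    model = UsageModel()
    for src, dst, proto, sport, dport, ts in records:
        model.observe(Flow(src, dst, proto, sport, dport), ts)
    return model


if __name__ == "__main__":
    model = build_model()
    # Constructed attack characteristics: a worm spreading over tcp/445.
    pass_rules, block_rules = generate_rules(model, {"proto": "tcp", "ports": {445}})
    for f in (Flow("10.1.0.7", "10.2.0.20", "tcp", 60000, 445),    # modelled: passes
              Flow("10.1.0.9", "10.2.0.20", "tcp", 60001, 445),    # unmodelled, attack port: blocked
              Flow("10.1.0.9", "10.2.0.10", "tcp", 60002, 8080)):  # unmodelled, other port: default
        print(f, decide(f, pass_rules, block_rules))
```

With `default="block"` the device behaves as claim 35 reads: only communications described by the usage model cross between compartments. With `default="pass"` only the attack's protocol and port are restricted, and the modelled use of that same port (the desktop-to-file-server flow above) still passes, which is the point the brief makes about not disrupting mission-critical communications during an attack.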

With regard to Issue 3 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims since the secondary references fail to provide the teaching missing
from Lermuzeaux.

With regard to Issue 4 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims since the secondary references fail to provide the teaching missing
from Lermuzeaux.

With regard to Issue 5 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims since the secondary references fail to provide the teaching missing
from Lermuzeaux.

Conclusion

For the foregoing reasons, Applicants believe that the pending rejections should
be withdrawn, and that the present application should be passed to issue. Should any
questions arise, please contact the undersigned.



Respectfully submitted, 
Houston Eliseeva LLP



By /grant houston/
J. Grant Houston 
Registration No.: 35,900 
4 Militia Drive, Ste 4 
Lexington, MA 02421 
Tel.: 781-863-9991 
Fax: 781-863-9931 



Date: April 6, 2009 
Claims Appendix

1. (Previously presented) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack.

2. (Original) A system as claimed in claim 1, wherein the computer network is 
an enterprise network. 

3. (Original) A system as claimed in claim 1, wherein the computer network is a 
service provider network. 

4. (Original) A system as claimed in claim 1, wherein the computer network is a 
public network. 

5. (Original) A system as claimed in claim 1, wherein the access control devices
compartmentalize the computer network into separate sub-networks of network
devices.

6. (Original) A system as claimed in claim 1, wherein the access control devices 
separate host computers from the computer network. 

7. (Original) A system as claimed in claim 1, further comprising a network
modeling system for generating the usage model.

8. (Original) A system as claimed in claim 7, wherein the network modeling
system receives flow information describing communications between network 
devices. 

9. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by network communications devices. 

10. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by the access control devices. 

11. (Original) A system as claimed in claim 8, wherein the network modeling
system discards flow information between network devices in the computer
network and network devices external to the computer network.

12. (Original) A system as claimed in claim 7, wherein the network modeling 
system compares new network communications to the usage model and updates 
the usage model if the new network communications are not described by the 
usage model. 

13. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications. 

14. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to time 
stamp information indicating when the network communication was last detected. 

15. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to 
frequency information indicating a frequency of the network communication. 
16. (Original) A system as claimed in claim 1, wherein the attack detection
system monitors communications over the computer network for attack using 
signature detection. 

17. (Original) A system as claimed in claim 1, wherein the attack detection 
system performs heuristic modeling to determine whether the computer network 
is under attack. 

18. (Original) A system as claimed in claim 1, wherein the attack detection 
system monitors communications over the computer network for attack by 
monitoring changes in connections between network devices. 

19. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass and/or blocking rules for the access control devices. 

20. (Original) A system as claimed in claim 1, wherein the control plane receives
protocol information and/or port information characteristic of the attack and
generates pass rules and blocking rules for the access control devices, in which
the pass rules are generated from the usage model and the blocking rules are
generated from the protocol information and/or port information characteristic of
the attack.

21. (Previously presented) A method for responding to an attack on a computer
network, the method comprising:

generating a usage model for the computer network;

determining whether the computer network may be under attack;

in response to detecting attack, determining characteristics of the attack; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack;

issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules.

22. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications to 
and from network devices on the computer network. 

23. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications 
between network devices on the computer network. 

24. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records that include port, protocol, source 
address and destination address of network communications to and from network 
devices on the computer network. 

25. (Original) A method as claimed in claim 21, further comprising the step of
the access control device compartmentalizing the computer network into separate
sub-networks of network devices.

26. (Original) A method as claimed in claim 21, further comprising the step of 
the access control device compartmentalizing the computer network by separating 
host computers from the computer network. 

27. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises: 

collecting flow information at network communications devices; and 
passing the flow information to a network modeling system. 

28. (Original) A method as claimed in claim 27, wherein the step of collecting 
flow information is performed by the access control devices. 
29. (Original) A method as claimed in claim 21, wherein the step of generating a
usage model comprises comparing network communications to the usage model 
and updating the usage model if the network communications are not described by 
the usage model. 

30. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
network communications for attack signatures. 

31. (Original) A method as claimed in claim 21, wherein the step of determining
whether the computer network may be under attack comprises performing
heuristic modeling to determine whether the computer network is under attack.

32. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
changes in connections between network devices. 

33. (Cancelled) 

34. (Previously presented) A method as claimed in claim 21, wherein the step of 
generating instructions to the access control devices comprises generating pass 
rules and blocking rules for the access control devices, in which the pass rules are 
generated from the usage model and the blocking rules are generated from 
protocol and/or port characteristics of the attack. 

35. (Previously presented) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to only allow network
communications between the host computers in different compartments of
the computer network based on a usage model describing legitimate
network communications while restricting all other network
communications between the host computers, in response to attack.